Bug 450331 - when overview is mapped a modifier only shortcut, it works even at lock screen, thus the user's current windows and their contents are exposed.
Summary: when overview is mapped a modifier only shortcut, it works even at lock scree...
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: effects-overview (show other bugs)
Version: unspecified
Platform: Other Linux
: VHI critical
Target Milestone: ---
Assignee: KWin default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-15 18:58 UTC by partialtemplate
Modified: 2022-02-17 15:01 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In: 5.24.2
Sentry Crash Report:
nate: Wayland-
nate: X11+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description partialtemplate 2022-02-15 18:58:18 UTC
SUMMARY
when overview is mapped a modifier only shortcut, it works even at the lock screen, thus the user's current windows and their contents are exposed.

STEPS TO REPRODUCE
1. enable the overview effect
2. lock the screen(default : Meta+L) 
3. activate overview effect via a modifier-only-shortcut

OBSERVED RESULT
overview effect activates, the contents of all windows in the current desktop session are shown.
overview itself is unresponsive to user input.
In addition, the CPU seems to overheat.

EXPECTED RESULT
overview effect should not activate when the user is unauthenticated.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma:  
(available in About System)
KDE Plasma Version: 5.24.1
KDE Frameworks Version: 5.91.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
in kwinrc:
[ModifierOnlyShortcuts]
Alt=
Control=
Meta=org.kde.kglobalaccel,/component/kwin,,invokeShortcut,Overview
Shift=
Comment 1 Nate Graham 2022-02-16 22:57:49 UTC
Cannot reproduce on Wayland, trying on X11...
Comment 2 Nate Graham 2022-02-16 23:15:22 UTC
Can reproduce on X11. Raising priority and severity due to the security implications.
Comment 3 David Edmundson 2022-02-16 23:44:22 UTC
We don't expose that in a GUI option anywhere.
Still worth fixing, but not worth being too worried about it.
Comment 4 Bug Janitor Service 2022-02-16 23:56:25 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/2034
Comment 5 Vlad Zahorodnii 2022-02-17 13:42:45 UTC
Git commit aab395f07bcfeca487b7736ddc10902d8510768c by Vlad Zahorodnii, on behalf of David Edmundson.
Committed on 17/02/2022 at 13:01.
Pushed by vladz into branch 'master'.

Check lockscreen status for fullscreen effects

Whilst global shortcuts are blocked by grabbing the keyboard, user set
up manual scripts can still invoke a global action.

Given we already have code to deactivate when locking it makes sense to
also prevent activation.

M  +3    -0    src/effects/desktopgrid/desktopgrid.cpp
M  +3    -0    src/effects/overview/overvieweffect.cpp
M  +3    -0    src/effects/presentwindows/presentwindows.cpp

https://invent.kde.org/plasma/kwin/commit/aab395f07bcfeca487b7736ddc10902d8510768c
Comment 6 Vlad Zahorodnii 2022-02-17 13:51:36 UTC
Git commit 39153cf77aac120476402b21c9fdd357ec1d40ce by Vlad Zahorodnii, on behalf of David Edmundson.
Committed on 17/02/2022 at 13:51.
Pushed by vladz into branch 'Plasma/5.24'.

Check lockscreen status for fullscreen effects

Whilst global shortcuts are blocked by grabbing the keyboard, user set
up manual scripts can still invoke a global action.

Given we already have code to deactivate when locking it makes sense to
also prevent activation.


(cherry picked from commit aab395f07bcfeca487b7736ddc10902d8510768c)

M  +3    -0    src/effects/desktopgrid/desktopgrid.cpp
M  +3    -0    src/effects/overview/overvieweffect.cpp
M  +3    -0    src/effects/presentwindows/presentwindows.cpp

https://invent.kde.org/plasma/kwin/commit/39153cf77aac120476402b21c9fdd357ec1d40ce